Aftermath of Salt Typhoon cyberattack: How to secure U.S. telecom networks?
Salt Typhoon Attack: On December 4, 2024, a top U.S. security agency representative confirmed reports that foreign actors, state-sponsored by the People’s Republic of China, infiltrated at least eight U.S. communications companies, compromising sensitive systems and exposing vulnerabilities in critical telecommunications infrastructure. This was part of a massive espionage campaign that has affected dozens of countries. Salt Typhoon has targeted telcos in dozens of countries for upward of two years, officials added.
Dated legacy network equipment and years of mergers and acquisitions are likely impeding the ability of telecommunications providers to prevent China-backed cyberattacks. Until telecom operators fully secure their networks, China will keep finding ways to come back in, officials have warned.
- On Thursday, FCC chair Jessica Rosenworcel proposed a new annual certification requirement for telecom companies to prove they have an up-to-date cybersecurity risk management plan. More below.
- Senior Cybersecurity and Infrastructure Security Agency and FBI officials confirmed Tuesday that U.S. telcos are still struggling to keep the China-backed hackers out of their networks — and they have no timeline for when total eviction is possible.
FCC Chair Jessica Rosenworcel urged telecom carriers to raise their network security standards and procedures: “The cybersecurity of our nation’s communications critical infrastructure is essential to promoting national security, public safety, and economic security,” said Rosenworcel. “As technology continues to advance, so do the capabilities of adversaries, which means the U.S. must adapt and reinforce our defenses.” “While the Commission’s counterparts in the intelligence community are determining the scope and impact of the Salt Typhoon attack, we need to put in place a modern framework to help companies secure their networks and better prevent and respond to cyberattacks in the future.”
Rosenworcel’s plan is to make U.S. telcos submit some kind of annual certification to the FCC, proving their cybersecurity measures are up to scratch. The clear inference from the attack itself and all the subsequent attempts to shut the stable door after the horse has bolted is that those efforts currently fall short of the mark. Understandably, none of the specific deficiencies have been publicly detailed.
These proposed FCC measures have been made available to the five members of the Commission. They may choose to vote on them at any moment. If adopted, the Declaratory Ruling would take effect immediately. The Notice of Proposed Rulemaking, if adopted, would open for public comment the cybersecurity compliance framework, which is part of a broader effort to secure the nation’s communications infrastructure.
The FCC press release refers to a recent WSJ report based on an unpublished briefing from U.S. national security adviser Anne Neuberger, in which she detailed the scale of the Salt Typhoon attack. “The Chinese compromised private companies, exploiting vulnerabilities in their systems as part of a global Chinese campaign that’s affected dozens of countries around the world,” she was quoted as saying.
Legacy network equipment and years of acquisitions have made it particularly difficult for telcos to patch every access point on their networks, Cliff Steinhauer, director of information security and engagement at the National Cybersecurity Alliance, told Axios.
- Many of the systems in question are nearly 50 years old — like landline systems — and they were “never meant for the type of sensitive data and reliance that we have on them right now,” he said.
- During an acquisition, a company could also miss a server when taking stock of all its newly acquired equipment, Steinhauer said. Network engineers are often inundated with security alerts that are hard to prioritize, he added.
- U.S. telecommunications carriers are required to provide a way for law enforcement to wiretap calls as needed — providing another entry point for adversaries.
Many of the security problems telcos face require simple fixes, like implementing multifactor authentication or maintaining activity logs.
- Even CISA’s recent guidance for securing networks focuses on the security basics.
- But to keep China out, telcos would have to make sure that every device — including their legacy physical equipment, online servers and employees’ computers — is patched.
Most high-profile cyberattacks across industries come down to the basics: a compute server that didn’t have multifactor authentication turned on or an employee who was tricked into sharing their password. Even if a company invests all of its resources in cybersecurity, it may not be enough to fend off a sophisticated nation-state like China.
- These actors are skilled at covering their tracks: They could delete activity logs, pose as legitimate users, and route their traffic through compromised computers in the U.S. so they aren’t detected.
- “You’ve got a persistent, motivated attacker with vast resources to poke and prod until they get in,” Mr. Steinhauer said.
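The basics named above, keeping activity logs, and the tradecraft of deleting them, can be met with tamper-evident logging. The following is an added example, not code from the page or from any telecom operator: a hash-chained audit log whose head is sealed with an HMAC key held on a separate collector, so that both removing an entry and rewriting the whole log are detectable. The device, events and key are constructed for illustration.

```python
import hashlib
import hmac
import json
# Hypothetical tamper-evident audit log (added example, not from the page or any telco).
# Each entry carries the SHA-256 of the previous one, so deleting or editing an entry breaks
# the chain; an HMAC seal of the head, kept on a separate collector, catches a full rewrite.
GENESIS = "0" * 64

def _entry_hash(prev_hash, record):
    payload = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()

def append_record(chain, record):
    prev = chain[-1]["hash"] if chain else GENESIS
    chain.append({"record": record, "prev": prev, "hash": _entry_hash(prev, record)})
    return chain

def verify_chain(chain):
    """(True, -1) if intact, else (False, index of the first broken entry)."""
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry["prev"] != prev or entry["hash"] != _entry_hash(prev, entry["record"]):
            return False, i
        prev = entry["hash"]
    return True, -1

def seal(chain, key):
    """HMAC over the chain head; the key lives on the log collector, not the device."""
    head = chain[-1]["hash"] if chain else GENESIS
    return hmac.new(key, head.encode(), hashlib.sha256).hexdigest()

def build_chain(events):
    chain = []
    for ev in events:
        append_record(chain, ev)
    return chain

# Constructed sample events from a hypothetical edge router.
SAMPLE_EVENTS = [
    {"ts": "2024-12-01T02:10:00Z", "user": "netops", "action": "login", "src": "10.0.0.5"},
    {"ts": "2024-12-01T02:11:30Z", "user": "netops", "action": "config-change", "item": "acl-42"},
    {"ts": "2024-12-01T02:12:00Z", "user": "netops", "action": "logout"},
]

def demo():
    key = b"collector-secret-key"  # placeholder key; constructed for the example
    chain = build_chain(SAMPLE_EVENTS)
    sealed = seal(chain, key)
    deleted = [chain[0], chain[2]]  # entry 1 removed in place: chain breaks at index 1
    rebuilt = build_chain([SAMPLE_EVENTS[0], SAMPLE_EVENTS[2]])  # re-chained without it
    return verify_chain(deleted), verify_chain(rebuilt), hmac.compare_digest(seal(rebuilt, key), sealed)
```

An in-place deletion is caught by the chain check alone; a cleanly rebuilt chain passes that check but fails against the seal the collector recorded earlier.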
References:
https://docs.fcc.gov/public/attachments/DOC-408015A1.pdf
https://www.axios.com/2024/12/06/telecom-cybersecurity-china-hack-us
WSJ: T-Mobile hacked by cyber-espionage group linked to Chinese Intelligence agency
Salt Typhoon began its cyberattacks in 2022. Its purpose, according to U.S. officials, was to give Chinese operatives persistent access to telecommunications networks across the U.S. by compromising devices like routers and switches run by companies like AT&T, Verizon, Lumen and others.
This attack comes on the heels of reports that the FBI and Cybersecurity and Infrastructure Security Agency were assisting telephone companies with countering other China-connected compromises of their networks. The earlier hacking was part of an attack targeting people in the Washington area in government or political roles, including candidates for the 2024 presidential election.
But Salt Typhoon is not just targeting Americans. Research from security vendor Trend Micro shows that attacks by Salt Typhoon compromised other critical infrastructure around the world in recent years. U.S. officials have confirmed these findings as well – and their level of concern is noteworthy.
Chinese officials have denied the allegations that they’re behind this operation, as they have in response to allegations about previous cyberattacks.
As a cybersecurity researcher, I find this attack indeed breathtaking in its scope and severity. But it’s not surprising that such an incident took place. Many organizations of all sizes still fail to follow good cybersecurity practices, have limited resources, or operate IT infrastructures that are too complex to effectively monitor, manage and secure.
How bad is it?
Salt Typhoon exploited technical vulnerabilities in some of the cybersecurity products like firewalls used to protect large organizations. Once inside the network, the attackers used more conventional tools and knowledge to expand their reach, gather information, stay hidden and deploy malware for later use.
According to the FBI, Salt Typhoon allowed Chinese officials to obtain a large number of records showing where, when, and with whom specific individuals were communicating. In some cases, they noted that Salt Typhoon gave access to the contents of phone calls and text messages as well.
Salt Typhoon also compromised the private portals, or backdoors, that telephone companies provide to law enforcement to request court-ordered monitoring of phone numbers pursuant to investigations. This is also the same portal that is used by U.S. intelligence to surveil foreign targets inside the United States.
As a result, Salt Typhoon attackers may have obtained information about which Chinese spies and informants counterintelligence agencies were monitoring – knowledge that can help those targets try to evade such surveillance.
On Dec. 3, the Cybersecurity and Infrastructure Security Agency, National Security Agency and FBI, along with their counterparts in Australia, New Zealand and Canada, released guidance to the public on how to address the Salt Typhoon attack. Their Enhanced Visibility and Hardening Guidance for Communications Infrastructure essentially reiterates best cybersecurity practices for organizations that could help mitigate the impact of Salt Typhoon or future copycat attacks.
It does, however, include recommendations to protect specific telecommunication equipment for some of the Cisco products that were targeted in this attack.
As of this writing, U.S. officials and affected companies have not been able to fully ascertain the scope, depth and severity of the attack – or remove the attackers from compromised systems – even though this attack has been ongoing for months.
https://umbc.edu/stories/what-is-salt-typhoon-a-security-expert-explains-the-chinese-hackers-and-their-attack-on-us-telecommunications-networks/